Unauthorized access – Digital Age Defense
http://www.digitalagedefense.org/wp
On regulation of technology
Tue, 22 Aug 2017 17:29:08 +0000

How Section 1201 of the copyright statute threatens innovation
http://www.digitalagedefense.org/wp/2015/07/02/how-section-1201-of-the-copyright-statute-threatens-innovation/
Thu, 02 Jul 2015 13:44:27 +0000

It would take many, many blog posts to fully articulate all the ways that modern copyright law threatens innovation. But one notable way is through Section 1201 of the copyright statute.

As discussed previously, Section 1201 is ostensibly supposed to minimize copyright infringement by making it its own offense to bypass the technical protective measures (TPMs) controlling access to a particular copy of a copyrighted work. (Sometimes these sorts of TPMs are referred to as DRM, or Digital Rights Management.) It is a fair question whether forbidding the bypass of TPMs is at all an effective approach to minimizing infringement, but it’s an even more important question to ask whether the portion of the copyright statute that forbids the bypassing of TPMs does so at the expense of other sections of the statute that specifically entitle people to make certain uses of copyrighted works.

The answer to this latter question is clearly no, and in fact Congress anticipated that it would be “no,” when it put into Section 1201 the requirement that the Copyright Office consider afresh, every three years, whether certain types of TPM bypassing should be deemed specifically permissible, notwithstanding Section 1201’s general prohibition against it. Unfortunately these triennial rulemakings are an extremely cumbersome, expensive, and ineffective way of protecting the non-infringing uses of copyrighted works the public is entitled to make. But the even bigger problem, and the one that I will focus on here, is that Section 1201’s prohibition against bypassing TPMs is increasingly standing in the way of not just non-infringing uses of copyrighted works but non-infringing uses of computing devices as a whole.

In the triennial rulemaking underway members of the public petitioned for a number of exemptions to Section 1201’s prohibition, which the Copyright Office distilled into 27 classes of exemptions. The first 10 classes generally sought to allow people to interact with copies of copyrighted works in ways they were entitled to but that the TPMs controlling the interaction prevented. But the latter classes, 11 through 27, were notable in that, rather than involving the sort of consumption of copyrighted media content DRM is designed to control, they all were classes designed to allow people to interact with computing logic itself.

Some of these classes, like 23 (“Abandoned software – video games requiring server communication”) and 24 (“Abandoned software – music recording software”), sought to allow people to bypass TPMs so that they could actually run the copies of software they legitimately had access to. But for many of these classes petitioners found themselves needing to ask not for exemptions to use copyrighted works in ways that they had the legitimate right to but for exemptions allowing them to use computers in ways they had the legitimate right to use them.

Because particularly for the classes seeking exemptions to modify the functionality of, or perform security research on, devices like phones (Classes 11 and 16), tablets (Class 12), TVs (Class 20), vehicles (Classes 21 and 22), and even computer-chipped medical devices (Class 27), that’s what these devices all are: computers. They just happen to be phone, TV, car, and pacemaker-shaped computers. Like a home PC (which Congress had not explicitly sought to regulate access to in 1998 when it codified Section 1201) they are pieces of computing hardware with circuitry that gets controlled by software. And, just like the home PC, people should be able to use the processing power of their computing devices as they would choose to, regardless of the shapes they come in.

Unfortunately, unless they bypass the TPM they can’t, and unless the Copyright Office grants the exemption they can’t bypass the TPM legally. And that’s a problem, because when people’s exploration of the full contours of their computing devices is limited by the threat of legal sanction, all the innovation and discovery that exploration would have yielded is chilled.

But to the extent that it is copyright law that is causing this chilling, it is a particularly bizarre result. Copyright law is inherently about promoting the progress of the arts and sciences, or, in other words, stimulating innovation and knowledge-sharing. It is completely anathema to copyright law’s constitutional mandate for Section 1201 of the copyright statute to explicitly impose barriers to that discovery.

This contradiction was an important point I made in two sets of comments and testimony submitted as part of this rulemaking process. In them I argued that these exemptions, particularly for classes 11-27, should be granted liberally in order that people’s freedom to tinker with the tools they legitimately possessed not be impinged upon just because those tools happened to contain a TPM. If the Copyright Office were to do nothing and simply let these TPMs continue to block this free exploration with the threat of legal sanction it would be particularly unjust because none of those TPMs were implemented to limit the infringement of copyrighted works. While the software running a device may itself be a copyrighted work, the TPM bypass would not be about violating any of the exclusive rights in that work’s copyright. Rather, the TPM bypass would simply be about getting the device itself to work as its user would choose.

Opponents to these classes argued that, even if the TPMs were not guarding against copyright harms, they prevented other sorts of harms that might result if people could use computing technology with unfettered freedom. For instance, with regard to vehicles they fretted that if people could study or modify the software on their cars then brakes would fail, pollution would increase, and other terrible consequences would befall the world. But something important to remember is that by limiting this sort of discovery we also limit all of its benefits. If people cannot legally do security research on their cars, for instance, it doesn’t make those cars more secure. It just makes it harder to make them more secure.

Also, it is not the role of copyright to regulate technology use and development (except to the extent that it is designed to stimulate innovation). When the Copyright Office suddenly gets to be the gatekeeper on how people can use their computing technology, while it may forestall some potential negative outcomes to that use, it also forestalls any good ones. Furthermore it prevents any other more appropriate authority, better equipped to balance the costs and benefits of technology use, from crafting more nuanced and effective regulation to address any negative ones. As they would — after all, it’s not like we have been living in the Wild West up until the Copyright Office managed to become inserted into the technology regulation space. For instance, even in the analog world if people modified the physical attributes of their cars – something they never needed the Copyright Office’s blessing to do – other regulators could still speak to whether they would be allowed to drive their modified cars on open roads. These other regulators have not become enfeebled just because the modifications people may choose to make to their cars may now be digital, particularly when the consequences to these modifications are not.

But even when the consequences to how people use their machines are digital, regulators can still address those outcomes. The problem has been that regulating computing use is tricky and up to now we haven’t done it very well. Instead we’ve ended up with laws like the Computer Fraud and Abuse Act (CFAA), laws that are very powerful and just as blunt, which punish beneficial computer uses as much as negative ones. But just because we have not perfected laws governing computer use does not mean that the Copyright Office should simply say no to these uses. In fact, it’s actually a reason that the Copyright Office should say yes to them.

One of the problems with the CFAA is that it construes the question of wrongfulness of a computer use based on the permissibility of that action. As a result, without the exemptions we are left in a situation where barriers erected under the auspices of copyright could threaten to become the sole basis by which the CFAA gets its teeth to sanction the very sort of inherently non-infringing activity that copyright law was never intended to prevent. And that’s the bitter irony, because while laws like the CFAA sadly lack any adequate mechanism to assess whether a computer use is a beneficial or otherwise fair use, copyright law by design can, and, indeed, pursuant to its Constitutional origins, must.

For these reasons the Copyright Office should grant all the sought after exemptions, particularly for these latter classes. And it’s also for these reasons that it’s time to amend the copyright statute to remove the bottleneck to innovation Section 1201 has become given how it requires the permission of the Copyright Office before any of this computer use can be allowed.

Thanks to Jeffrey Vagle and others for their help preparing these comments and testimony.

Prenda Law and the CFAA
http://www.digitalagedefense.org/wp/2013/04/11/prenda-law-and-the-cfaa/
Thu, 11 Apr 2013 23:31:33 +0000

The Computer Fraud and Abuse Act is no stranger to these pages. The tragic suicide of Aaron Swartz at the beginning of the year following the relentless pursuit of the Department of Justice against him for his downloading of the JSTOR archive has galvanized a reform movement to overhaul – or at least ameliorate – some of the most troublesome provisions of the CFAA.

One such provision can be found at 18 U.S.C. § 1030(g), which creates a civil cause of action for a party claiming to be aggrieved by the purported wrongdoings described in subsection (a). While civil causes of action are generally beyond the scope of this blog, having a civil cause of action buried in a statute designed to enable criminal prosecutions can be problematic for defendants facing the latter because the civil litigation, as it explores the contours of the statute and its internal definitions, tends to leave in its wake precedent that prosecutors can later use. Which is unfortunate, because how the statute may be interpreted in a civil context — which inherently can only reflect the particular dynamics of the particular civil dispute between these particular private parties — reshapes how the statute will be interpreted in a criminal context. Especially with a law like the CFAA, whose language always tempts excessive application, these civil precedents can vastly expand the government’s prosecutorial power over people’s technology use, and easily in a way Congress never intended. One should also never presume that the outcome of a civil dispute correlates to a result that is truly fair and just; miscarriages of justice happen all the time, often simply because it is so difficult and expensive to properly defend against a lawsuit, especially one asserting a claim from an imprecisely drafted and overly broad statute like the CFAA.

In a sense, Prenda Law is nothing new. The copyright statute has evolved in a way that allows putative copyright holders to easily threaten very scary and expensive infringement lawsuits against people who have digitally shared copyrighted material, such as music or movies. Whether these lawsuits are truly defensible either in law or sound policy is beyond the scope of this post, and in many ways also irrelevant to it. Whether justified or not, the possibility of being on the receiving end of such a lawsuit is usually enough to induce a defendant into a preemptive settlement for an amount that, while likely less than their potential financial exposure would be should the matter proceed to court, is still a non-negligible amount of money (and likely also well beyond any potential damage actually incurred by the copyright holder). As a result it’s very easy for a copyright holder to profit simply by finding enough people to just *threaten* with a lawsuit, and many have made a business of doing exactly this. It’s especially easy for them to do when the copyrighted material alleged to have been infringed is adult in nature and would likely lead to much embarrassment should it become public that a potential defendant had downloaded it. This sort of reputational blackmail is one of the hallmarks of the Prenda Law enterprise.

Other hallmarks relate to how Prenda Law has tended to prosecute its actions. Ostensibly Prenda Law is simply a law firm hired by a copyright-owning client to pursue people alleged to have fileshared the adult movies the client claims to own the rights to. These pursuits would be problematic enough on their own for the reasons described above. What makes them particularly odious in these cases, however, is that Prenda Law may not actually be a separate entity apart from its client. It may not simply be a law firm zealously advocating for its client’s interests, as a law firm can appropriately be expected to do. What has recently been brought to light is that Prenda Law appears to be one and the same as the “client” it purports to represent, and that it (a) obfuscated this fact in a way that compromised defendants’ abilities to defend themselves, and (b) potentially perpetrated a fraud on the court through its conduct, often in violation of various rules designed to keep the judicial process as equitable and fair for all parties as possible. Serious judicial inquiry is now being made into how Prenda Law and its principals have comported themselves, and people are increasingly becoming aware of the potentially criminal aspects of the Prenda Law litigation model.

Prenda Law is most noted for having used copyright claims as its method for extracting money from its marks, but it is important not to overlook how it has also used the CFAA to similar ends. It has already filed multiple lawsuits, and a recent defense filing in one of the copyright cases includes an affidavit from defense counsel in one of those CFAA-based cases alleging the same sort of malfeasance exhibited in the copyright cases, including the same obfuscation of the lawyers’ controlling interest in the plaintiff. Also of note in the CFAA cases is the use of questionable forensics to identify the target of the lawsuits, the same questionable forensics that judges have begun to reject in the copyright cases.

Prenda Law’s abusive litigation should be exceptional. If everything alleged about it is true it has comported itself so far beyond the rules and ethics of the legal profession that its behavior should not be the single determining factor for evaluating whether a legal provision – be it in copyright, the CFAA, or otherwise – is sound or not. Few others should ever be expected to act with similar hubris. But laws are tools we arm parties with, and we need to make sure we temper their power lest even a more noble litigant be tempted to wield them in a way that would lead to a similarly unjust result. Unfortunately the CFAA, as currently written, includes no such tempering, as it enables any litigant to benefit from its unrealistically expansive definitions of wrongfulness, with the added threat of an associated criminal sanction to further intimidate its target. As part of CFAA reform all these overbroad provisions should be narrowed if not outright deleted, but at minimum the subsection empowering civil litigants to use its measures should be stricken. As shown in this chart private parties don’t need access to this law to seek redress to the sort of harm the CFAA is thought to assuage (it may similarly be unnecessary for prosecutors to use it either), and giving them access to it has only enabled them, and the government, to overuse it in a way that creates its own harm.

Follow, not lead
http://www.digitalagedefense.org/wp/2013/02/20/follow-not-lead/
Wed, 20 Feb 2013 18:37:01 +0000

At an event on CFAA reform last night I heard Brewster Kahle say what to my ears sounded like, “Law that follows technology tends to be ok. Law that tries to lead it is not.”

His comment came after an earlier tweet I’d made:

I think we need a per se rule that any law governing technology that was enacted more than 10 years ago is inherently invalid.

In posting that tweet I was thinking about two horrible laws in particular, the Computer Fraud and Abuse Act (CFAA) and the Electronic Communications Privacy Act (ECPA). The former attempts to forbid “hacking,” and the second ostensibly tried to update 1968’s Wiretap Act to cover information technology. In both instances the laws as drafted generally incorporated the attitude that technology as understood then would be the technology the world would have forever hence, a prediction that has obviously been false. But we are nonetheless left with laws like these on the books, laws that hobble further innovation by how they’ve enshrined in our legal code what is right and wrong when it comes to our computer code, as we understood it in 1986, regardless of whether, if considered afresh and applied to today’s technology, we would still think so.

To my tweet a friend did challenge me, however, “What about Section 230? (47 U.S.C. § 230).” This is a law from 1996, and he has a point. Section 230 is a piece of legislation that largely immunizes Internet service providers from liability for content posted on their systems by their users – and let’s face it: the very operational essence of the Internet is all about people posting content on other people’s systems. However, unlike the CFAA and ECPA, Section 230 has enabled technology to flourish, mostly by purposefully getting the law itself out of the way of the technology.

The above are just a few examples of some laws that have either served technology well – or served to hamper it. There are certainly more, and some laws might ultimately do a bit of both. But the general point is sound: law that is too specific is often too stifling. Innovation needs to be able to happen however it needs to, without undue hindrance caused by legislators who could not even begin to imagine what that innovation might look like so many years before. After all, if they could imagine it then, it would not be so innovative now.

The illegality of unlocking your cell phone (and more)
http://www.digitalagedefense.org/wp/2013/01/29/the-illegality-of-unlocking-your-cell-phone-and-more/
Tue, 29 Jan 2013 22:34:12 +0000

In 1998 the Digital Millennium Copyright Act amended U.S. copyright law in a few key ways. Of most relevance here are the additions it made to 17 U.S.C. §§1201 et seq., which include the provision:

“No person shall circumvent a technological measure that effectively controls access to a work protected under this title.” §1201(a)(1)(A)

If one does, they can be liable for damages, §1203(c), or, more saliently for this blog, fines of $500,000 and/or 5 years imprisonment for the first offense and $1,000,000 and/or 10 years for subsequent ones. §1204(a).

The question here is, why?

Historically the “why” is that the US entered into a 1996 treaty obligating it to:

“provide adequate legal protection and effective legal remedies against the circumvention of effective technological measures that are used by performers or producers of phonograms in connection with the exercise of their rights under this Treaty and that restrict acts, in respect of their performances or phonograms, which are not authorized by the performers or the producers of phonograms concerned or permitted by law.” WIPO Performances and Phonograms Treaty (WPPT), Article 18.

But why such a prohibition needed to be enshrined in copyright law at all, much less with criminal penalties, is a separate question, and one without a very good answer. Copyright law already prohibits copying without permission and provides ample (if not more than ample) civil damages remedies. It may be thought by some that the ease of copying digital media on digital devices requires further obstacles, such as technical measures, in order to temper the activity, but even if that were true, if the success of these technical measures as obstacles to copying depends on having their own law prohibiting their evasion, they aren’t really very effective as obstacles. Moreover, if the behavior is so ordinary and common that legal sanctions have to be threatened in order to stop it, it’s time to re-evaluate whether the underlying action warrants legal prohibition at all.

In any case, even if one accepts the argument that copying the works of “performers or producers of phonograms” causes a harm so worth redressing by newly-created legal sanctions, it still does not follow that the prohibition against bypassing technological measures should apply to those bypassed for any other purpose, or that the act of bypassing them should be a criminally prosecutable offense. Which returns us to the example of the cell phones.

In the United States cell phones are often locked to particular cell phone carriers, even for non-carrier-subsidized handsets that their owners funded the purchase of themselves. Locking such devices is seemingly good for the carriers because it dissuades their customers from switching to other carriers, lest they need to purchase a whole new handset, but it’s certainly not good for customers because it ties them to carriers without those carriers needing to compete to keep their business. On balance there is no redeeming policy value justifying such locking, and, moreover, there is no copyright interest that can legitimately sound in it either. And yet, thanks to the DMCA, bypassing the technological measures locking cell phones may be just as illegal as bypassing the technological measures that prevent a song from being copied (an act that also may be completely justified and legal, but at least is more likely to implicate a copyright interest).

Now, the DMCA does have some exemptions to its prohibition. Some are codified directly into the statute, and others are left to the Library of Congress to consider and carve out further exemptions for. In previous years the Library of Congress had provided for an exemption to bypassing the locks on cell phones, but that exemption has now expired.

Theoretically such bypassing may also not be illegal: some courts have ruled that the DMCA’s prohibition on bypassing technological measures can only apply when there is an underlying copyright interest at stake, which doesn’t appear to be present in the case of unlocking cell phones. But with the threat of a potential 5 year jail sentence and half a million dollar financial penalty, who would want to take the chance that they would ultimately be acquitted should an overzealous prosecutor try to charge them for unlocking those phones anyway? The statute is slightly constrained in its application to unlocking “willfully” done and only “for purposes of commercial advantage or private financial gain,” §1204(a), so individual cell phone owners may be able to get away with unlocking their own phones, but they had better know how to do it themselves. Should they pay someone to unlock their phones for them that party might easily find themselves at the receiving end of a prosecution.

It is also questionable how any sort of criminal sanction for any sort of bypassing of any sort of technological measure for any sort of purpose is appropriate, under the copyright statute or otherwise. While we may prosecute lock bypass in other contexts, copyright interests are not the sort of property interests criminal law has evolved to protect. At most they can be infringed; they are not taken in any way analogous to an actual theft, and copyright law is perfectly capable of providing redress for any such infringements. It doesn’t need the assistance of this artificial barrier to prevent copying, especially not one as heavy-handed as this one that chills any legitimate copying as much as it may any infringing — or any other legitimate device access as well. If a few codified carve-outs and periodic exemptions, and the temperance of prosecutors, are all that stand between people being able to use and access their content and devices as they have the right to and the possibility of prison, then something is gravely wrong with this law.

A crime of permission
http://www.digitalagedefense.org/wp/2013/01/21/crime-of-permission/
Tue, 22 Jan 2013 03:35:36 +0000

The 13-count superseding indictment (now dismissed) against Aaron Swartz basically boiled down to two major complaints: he accessed a computer system, and then downloaded files, without permission to do either.

It was not completely unprecedented in the pre-digital age to penalize acts that at their essence were about doing something without permission. Trespass, for instance, can be criminally prosecuted if someone has entered another’s real property without their permission. But (per the Model Penal Code § 221.2) it is typically prosecuted as a petty misdemeanor, commensurate with the negligible resulting harm. In instances where more serious harm resulted, a harm that could be properly measured in real world dimensions, such as the deprivation or destruction of real or immovable property, then a separate crime could be charged, such as theft – one targeted to address that violent sort of outcome. But even in those cases the crime and its commensurate penalty would hinge on the resulting harm, not the underlying lack of permission (see, e.g., Model Penal Code explanatory note, §§ 220.1-220.3). On its own, merely doing something without permission has not been something US law has sought to punish with serious charges carrying lengthy prison sentences.

In Aaron Swartz’s case, however, while his actions, even if true as alleged, resulted in no more measurable harm than an ordinary trespass would have, he was nonetheless charged with multiple felonies.
Each felony charge comprised part of a vicious cycle, with each being predicated on the existence of the last. But at the heart of the indictment is a fundamental misunderstanding of the purported wrongfulness connected with the file downloading. The undisputed facts in this respect are basically thus: The JSTOR archive is a repository of academic articles. Notably Aaron actually had permission to access and download them, although it may be true that in granting that access JSTOR had not contemplated their being downloaded in bulk. On the other hand, it does not appear that such permission had been explicitly withheld. Furthermore, Aaron’s downloading of the files in no way deprived JSTOR of anything. The files didn’t disappear from their machine as they were copied onto Aaron’s; they remained exactly where they always were.

Thus the prosecutor’s insistence that this downloading was somehow “theft” (see paragraph 30 of the indictment) fails in both physical and legal terms. In the non-digital world theft involves depriving someone of their property. However no such deprivation of property existed here, thereby rendering it legally incorrect to punish the act as if it were one that would cause it, and then to compound it by using that perceived wrongfulness as a basis for collateral charges.

Of course, no deprivation of property is required for the real world crime of burglary. Like trespass, burglary punishes an unauthorized access, but only one made for the purpose of committing some other crime that would result in its own measurable harm. (See Model Penal Code § 221.1. Note also that the nomenclature and particular requirements for these various crimes may vary from jurisdiction to jurisdiction, but the MPC is being cited here because of how it serves to encapsulate how crime is generally thought of in American law.) It’s not the unauthorized access itself that conditions the seriousness of the charge; it’s the intent to cause the measurable harm that is. Having laws like burglary on the books provides a way to prosecute an attempted crime that would have had real, measurable effects had it ever reached fruition; they aren’t about punishing a permission-less access for its own sake. Which, unfortunately, the Computer Fraud and Abuse Act currently does.

Ostensibly the CFAA, a recent statute ill-fitting the realities of modern computing, sometimes predicates its punishment on the consequences of the purportedly wrongful access of a computer system, but unlike burglary it is largely divorced from any actual criminal accounting of those consequences and at times (see 18 U.S.C. § 1030(a)(2)(C)) requires no destructive harm at all. For purposes of the CFAA the access alone is what’s wrongful.

But reform is also needed with respect to the underlying wrong the prosecution originally perceived Aaron to be guilty of when he downloaded those articles. The prosecution reacted as though it were a violent destruction of person or property, when it clearly was not. At most he would have been liable for copyright infringement, an act that can be fully redressed through private civil suits without the need – or indeed, the right – for the state to weigh in, especially in such a disproportionate way. It is in this regard, criminalizing access to information beyond one’s permission to have it, that the most reform is needed.

These actions challenged the status quo, however, and the status quo fought back. For those who treat knowledge as a currency that can be hoarded, acts to free it are seen as a threat. Unfortunately for Aaron, those people have power, and they wielded it against him. Furthermore, and most saliently for this project, it happened not through private actions, but by leveraging the power of the state to pursue and criminally prosecute him for his efforts.

Thus the parallel purpose of this project is to help advocate for better legal policy, so that we don’t empower the state to punish our innovators for innovating. The disruption they spawn, though perhaps painful for incumbents who liked things as they were, is necessary in order to have a future that benefits everyone.

Cracking v. hacking
http://www.digitalagedefense.org/wp/2012/01/11/cracking-v-hacking/
Wed, 11 Jan 2012 17:17:27 +0000

A word about “hacking.” Hacking is a word often colloquially misused to describe the unauthorized access of a computer system. Among self-described hackers, however, the correct term to describe such behavior is “cracking,” as in “safe cracking.” “Hacking” instead describes a far more neutral, or even beneficial activity: the creative problem solving involved in engineering a solution. (Links point to Eric Raymond’s Jargon File.)

It would greatly assist policy discussion to keep these terms clear, particularly given the interest in criminalizing the unauthorized access of computer systems. Associating the activities of hacking with the more pejorative definition loses nuance and tends to lead to the criminalization of more benign, even objectively good, technology uses.

Thus this site will endeavor to use the correct term as much as possible. But when citing other media it may necessarily parrot whatever word was used, however incorrectly.

Edit 2/20/13: I’ve realized I’m shouting into the wind on this issue. “Hacking” is too colloquially accepted to describe all sorts of innovative applications of technology, good and bad, to ever completely avoid. But I will remind others that the term does indeed describe both good uses and bad uses and should not be presumed to be a pejorative.

Lessons from an early example of technology hacking
http://www.digitalagedefense.org/wp/2011/12/29/lessons-from-an-early-example-of-technology-hacking/
Thu, 29 Dec 2011 15:57:25 +0000

Paul Marks has a fascinating article at The New Scientist about an old example of hacking.

LATE one June afternoon in 1903 a hush fell across an expectant audience in the Royal Institution’s celebrated lecture theatre in London. Before the crowd, the physicist John Ambrose Fleming was adjusting arcane apparatus as he prepared to demonstrate an emerging technological wonder: a long-range wireless communication system developed by his boss, the Italian radio pioneer Guglielmo Marconi. The aim was to showcase publicly for the first time that Morse code messages could be sent wirelessly over long distances. Around 300 miles away, Marconi was preparing to send a signal to London from a clifftop station in Poldhu, Cornwall, UK.

Yet before the demonstration could begin, the apparatus in the lecture theatre began to tap out a message. At first, it spelled out just one word repeated over and over. Then it changed into a facetious poem accusing Marconi of “diddling the public”. Their demonstration had been hacked – and this was more than 100 years before the mischief playing out on the internet today. Who was the Royal Institution hacker? How did the cheeky messages get there? And why?

This tale holds a lot of lessons that are of use to us today.

A key one highlighted by the article is the importance of hacking in innovation. Marconi had thought his radio system was secure. Turns out he was wrong.

Marconi had patented a technology for tuning a wireless transmitter to broadcast on a precise wavelength. This tuning, Marconi claimed, meant confidential channels could be set up. Anyone who tunes in to a radio station will know that’s not true, but it wasn’t nearly so obvious back then. Maskelyne showed that by using an untuned broadband receiver he could listen in.

Would society have benefited from use of a technology that its creator insisted was secure but apparently wasn’t? Of course not. But is it reasonable for society to expect the innovator to expose all of the technology’s Achilles’ heels? Of course not again. Hackers thus form a sort of necessary peer review, putting technology through its paces to make sure it can stand up as advertised. It does no one any good for this vetting not to take place — or, worse, to criminalize it! — and make the oblivious public vulnerable to exploits that are obviously there, whether anyone ever gets to publicly discuss them or not.

In this instance Marconi accused his hacker of professional jealousy and malice, and he may have been right.

[The hacker] was Nevil Maskelyne, a mustachioed 39-year-old British music hall magician. Maskelyne came from an inventive family – his father came up with the coin-activated “spend-a-penny” locks in pay toilets. Maskelyne, however, was more interested in wireless technology, so taught himself the principles. He would use Morse code in “mind-reading” magic tricks to secretly communicate with a stooge. He worked out how to use a spark-gap transmitter to remotely ignite gunpowder. And in 1900, Maskelyne sent wireless messages between a ground station and a balloon 10 miles away. But, as author Sungook Hong relates in the book Wireless, his ambitions were frustrated by Marconi’s broad patents, leaving him embittered towards the Italian. Maskelyne would soon find a way to vent his spleen.

But it hardly makes a difference what his feelings toward Marconi were: bottom line, the technology was vulnerable. It was, of course, also valuable, even with these vulnerabilities, but surely it could be even more valuable if others could contribute their improvements. As the article notes, however, this was difficult, thanks to Marconi’s “broad patents.”

Anyone who has ever watched or read any of James Burke’s work knows that innovation does not happen in a vacuum. It is built on that which has gone before. But law has a way of creating artificial vacuums, boxing out further innovations through intellectual property controls and prohibitions against hacking. It is worth considering whether doing so is truly effective. As the saying goes, “two heads are better than one.” The contributions of many of course will be greater than the contributions of just one. Rather than forbidding it, the law should instead be encouraging that sort of collaboration; further innovation depends on it.

US v. Nosal background
http://www.digitalagedefense.org/wp/2011/12/10/us-v-nosal-background/
Sat, 10 Dec 2011 19:47:00 +0000

A key case involving the Computer Fraud and Abuse Act will be heard by an en banc panel of the Ninth Circuit Court of Appeals on Thursday. More will inevitably be said about this case, this law, and the underlying policy to define, deter, and punish “hacking,” but for the moment, this article provides a good summary of the salient issues from the upcoming hearing: “When Computer Misuse Becomes a Crime,” Ginny LaRoe, The Recorder, Dec. 9, 2011. (h/t @Dissent)

Michigan man facing hacking charge for accessing wife’s email
http://www.digitalagedefense.org/wp/2011/12/08/michigan-man-facing-hacking-charge-for-accessing-wifes-email/
Fri, 09 Dec 2011 06:57:57 +0000

From the Detroit Free Press, Leon Walker is facing a five-year felony charge after accessing now-ex-wife Clara Walker’s Gmail account to see whether she was having an affair. A 1979 Michigan law prohibits accessing a computer system without consent.

Walker and his attorneys, Leon Weiss and Matthew Klakulak, said the law was never intended for domestic matters, but was designed to prevent identity theft and the theft of trade secrets.

Earlier this year, the attorneys asked the appellate court to throw out the charges. On Tuesday, three appellate judges peppered Klakulak with questions, asking why Walker’s actions weren’t unlawful hacking.

Klakulak said the law was “ambiguous” and wasn’t intended for “ridiculously innocuous conduct” like peeping at a family member’s Gmail account.

But judge Pat Donofrio said Walker’s actions appear to fall squarely under the law the way it was written.

“Your client is being charged with securing intellectual property — her e-mail, accessing her intellectual property,” he said.

Klakulak also argued legislators never intended the law to be used for snooping spouses and that if it’s used as such, it could criminalize activities such as parents monitoring their children’s online activities.

Water hack wasn’t
http://www.digitalagedefense.org/wp/2011/12/05/water-hack-wasnt/
Tue, 06 Dec 2011 06:54:15 +0000

Recently it appeared the fear of a foreign hacker penetrating the online systems of American infrastructure had been realized with news that a Russian hacker had attacked and disabled a pump in an Illinois water system. These fears have now been shown to be misplaced: the supposed “hack” was a login by an engineer traveling in Russia at the time he was requested to perform some work on the system, and the pump broke down on its own, unrelatedly, months later.

Vulnerabilities of public infrastructure are not an idle concern. The Stuxnet virus, which specifically targeted nuclear facilities in Iran, illustrates that infrastructure can be a compelling target and quite feasible to affect if those systems are not properly protected.

But the water system “hack” shows that proper protection of infrastructure — and, accordingly, any law intended to advance this — needs to be done carefully, with clear understanding of the actual threat and competent engineering not prone to panicked histrionics. From the BBC article about it:

“Nobody checked with anybody. Lots of people assumed things they shouldn’t have assumed, and now it’s somebody else’s fault and we’re into a finger-pointing marathon,” wrote Nancy Bartels.

“If the public can be distracted from the issue of how DHS and ISTIC fumbled notification so badly, then nobody will be to blame, which is what’s really important after all.

“Meanwhile, one of these days, there’s going to be a really serious infrastructure attack, and nobody’s going to pay attention because everyone is going to assume that it’s another DHS screw-up.”